
I have a project developed using CakePHP 1.3, and for testing I used the SQL Inject Me addon (Firefox).

From the CakePHP manual, what I understood is that the save() and find() methods will automatically protect the data from SQL injection. But while running the "SQL Inject Me" test, I am always getting failures as the result.

For example, the results:

Server Status Code: 302 Found, Tested value: 1' AND 1=(SELECT COUNT(*) FROM tablenames); --
Server Status Code: 302 Found, Tested value: '; DESC users; --
Server Status Code: 302 Found, Tested value: 1'1

I have tried the CakePHP Sanitize methods, but I am still getting the errors in "SQL Inject Me".

Any help?

Sample code:

// CakePHP 1.3 does not load the Sanitize class automatically; import it first.
App::import('Sanitize');

// Strip unwanted characters from the submitted User fields without HTML-encoding them,
// then let the model build and run the INSERT/UPDATE.
$this->data['User'] = Sanitize::clean($this->data['User'], array('encode' => false));
$this->User->save($this->data);
binoy

1 Answer


How to fix Server Status Code: 302 Found by SQL Inject Me Firefox Addon

That error shows that the SQL injection has been prevented. You don't need Sanitize for SQL injection, but for XSS.

Anh Pham
  • And not even there is Sanitize needed. A simple h() does the trick as well. – mark Aug 09 '11 at 22:27
  • But it is showing as a failure. Is there any way to find out the error codes and descriptions? Screenshots: http://www.2shared.com/photo/4vu4n-iJ/Results1.html http://www.2shared.com/photo/hPKKrceK/Results2.html – binoy Aug 10 '11 at 13:37
  • The 9 failures shown there are, I believe, because Cake reacts differently than the addon expects. In the controller, you are redirecting to another page, right? Like the answer in the link I posted, it is a perfectly normal server response. You might want to send your result to the addon's author. – Anh Pham Aug 10 '11 at 19:34
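The behaviour the answer and the comments describe, as an added standalone example that is not code from the question, the answer, or CakePHP itself: the scanner's own payloads are run through a parameterized query, which is the effect CakePHP 1.3 produces by escaping the values it places into the SQL it generates for save() and for array conditions in find(), and htmlspecialchars() shows what h() does for output, which is the only job Sanitize/h() have here. The in-memory SQLite database, the users table, and the function names are assumptions made so the script runs on its own with PHP's pdo_sqlite extension.

```php
<?php
// Added example; not the question's code and not CakePHP's implementation.
// Assumed setup: an in-memory SQLite database with a users(id, username) table.

// Payloads copied from the scanner output in the question; constructed test
// input, not data from any real site.
$payloads = array(
    "1' AND 1=(SELECT COUNT(*) FROM tablenames); --",
    "'; DESC users; --",
    "1'1",
);

function buildDb() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
    return $db;
}

// What an escaping or parameterizing data layer does: the payload is stored
// as an ordinary string and the schema is untouched. This is the protection
// the question expects from save(); Sanitize adds nothing to it.
function saveUser(PDO $db, $username) {
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute(array(':username' => $username));
    return (int) $db->lastInsertId();
}

function findUser(PDO $db, $username) {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute(array(':username' => $username));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// The vulnerable alternative for contrast: the value is spliced into the SQL
// text, so the quote in every payload changes the statement the server sees.
// Do not write queries this way; it is here only to show the difference.
function findUserUnsafe(PDO $db, $username) {
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// What h() in CakePHP 1.3 does: it wraps htmlspecialchars() so a stored value
// cannot become markup when echoed in a view. This is the XSS side, not SQL.
function renderUsername($username) {
    return htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

$db = buildDb();
foreach ($payloads as $p) {
    saveUser($db, $p);
    $row = findUser($db, $p);
    // The parameterized round trip returns exactly the bytes that went in:
    // the quote and the SQL keywords were data, never syntax.
    if ($row === false || $row['username'] !== $p) {
        throw new RuntimeException('parameterized query altered the payload');
    }
    echo "stored and found literally: " . $row['username'] . "\n";

    try {
        findUserUnsafe($db, $p);
        echo "  unsafe query executed as written for this payload\n";
    } catch (PDOException $e) {
        // The injected quote was parsed as SQL; an attacker keeps tuning the
        // payload until it parses, which is the attack the scanner probes for.
        echo "  unsafe query parsed the payload as SQL: " . $e->getMessage() . "\n";
    }
}

// XSS side: the same stored data is only safe to echo after output encoding.
echo renderUsername('<script>alert(1)</script>') . "\n";
```

One caveat to keep in mind when reading the framework's promise: the escaping shown here applies to data passed through save() and to conditions given as arrays; a condition written as a raw string (for example, "User.username = '$name'") or a hand-built Model::query() string is placed into the SQL as-is and gets no protection. The 302 the scanner reports is unrelated to either case; it is the controller's redirect after a successful save, and the scanner flags any non-200 response as a failure.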